The port security feature allows you to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. It helps you to control the learning and storing of MAC addresses for each interface. It is used to protect against CAM overflow attacks and rogue equipment, such as hubs and switches, being plugged in. A port security enabled port is called a secure port, and the MAC addresses allowed on that port are called secure MAC addresses.When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address to a secure port, the workstation attached to that port is assured the full bandwidth of the port.

After you have set the maximum number of secure MAC addresses on a port, you can include secure MAC addresses in an address table in one of these ways:

• Configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.

• Allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.

• Configure a number of addresses and allow the rest to be dynamically configured.

  Note	If the port shuts down, all dynamically learned addresses are removed.

• Configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.

A port security violation occurs in either of these situations:

• When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode.

• If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, port security applies the configured violation mode. This is also known as a MAC move violation.

There are three violation actions for port security. You can configure the port for one of these violation actions:

• Shutdown—A port security violation causes the port to shut down immediately.

• Restrict—A port security violation restricts data, causes the SecurityViolation counter to increment, and causes an SNMP Trap to be generated. In the Restrict action, learning is disabled on the port after 10 violations. Restrict is the default action for port security violations.

• Protect—A port security violation causes data from unknown MAC addresses to be dropped. The SecurityViolation counter is not incremented, and no SNMP Trap is generated.

The following guidelines apply when you configure port security for UCS 6454 Fabric Interconnect ports:

• Port security can be configured only on NIV ports. It is not supported on BIF ports.

• Only one MAC address per VLAN can be secured for an NIV port.

• For port security violations on virtual interfaces, Restrict is the default violation action.

• MAC learning is disabled on a secure port after 10 violations.

• Secure MAC addresses never age out.

• The maximum number of secure MAC addresses that can be configured are as follows:

  • On a Device—A maximum of 8000 secure MAC addresses in addition to one MAC address per port

  • On an Interface—A maximum of 1000 MAC addresses per interface

  • In a VLAN—Only one secure MAC address per port for a VLAN